Uniwinnicrypt ransomware charges over $550k for file recovery

April 9, 2021

The SonicWall Capture Labs threat research team has been tracking a ransomware family named Uniwinnicrypt. This malware is aimed at large corporations, and the operators charge over $550k USD in cryptocurrency (Monero and Bitcoin) for file recovery. The operators provide a custom chat site hosted on the Tor network for negotiations with their victims. However, conversations between the victims and operators are publicly accessible.

Infection cycle:

Upon infection, code is injected into grpconv.exe, iexpress.exe or write.exe. This injected code performs the encryption of files on the system.

The extension “.uniwinnicrypt” is appended to all encrypted files.

HOW_FIX_FILES.htm is dropped into every directory where files were encrypted. It contains the ransom message with the operators' Tor link.
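
The two host-based indicators above (the ".uniwinnicrypt" extension and the HOW_FIX_FILES.htm note) are enough for a first-pass triage of an affected share. The script below is an added example, not SonicWall's code: it walks a directory tree, records every directory holding encrypted files or a note, and flags directories that have encrypted files but no note, which is worth a second look (encryption interrupted, or the note deleted). The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".uniwinnicrypt"          # extension appended to encrypted files
RANSOM_NOTE = "HOW_FIX_FILES.htm"         # note dropped into each affected directory

def scan_tree(root):
    """Walk `root` and return {relative_dir: {"encrypted": [...], "note": bool}}
    for every directory holding at least one Uniwinnicrypt indicator."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        note = any(f.lower() == RANSOM_NOTE.lower() for f in filenames)
        if encrypted or note:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings[rel] = {"encrypted": encrypted, "note": note}
    return findings

def summarize(findings):
    """Totals for the incident report, plus directories that hold encrypted
    files but no note (encryption interrupted, or the note was removed)."""
    total = sum(len(v["encrypted"]) for v in findings.values())
    missing = sorted(d for d, v in findings.items() if v["encrypted"] and not v["note"])
    return {"encrypted_files": total, "directories": len(findings), "missing_note": missing}

def build_sample_tree():
    """Constructed sample layout (not real victim data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="uniwinni_")
    layout = {
        "docs": ["report.docx.uniwinnicrypt", "budget.xlsx.uniwinnicrypt", RANSOM_NOTE],
        "docs/archive": ["old.pdf.uniwinnicrypt"],   # note deliberately absent
        "clean": ["readme.txt"],
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for name in files:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"placeholder")
    return root

if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    for d, v in hits.items():
        print(f"{d}: {len(v['encrypted'])} encrypted file(s), note={'yes' if v['note'] else 'NO'}")
    print(summarize(hits))
```

Point `scan_tree` at a mounted copy of the affected volume rather than the live host; the output gives the scope needed to decide which backups to restore.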

The Tor link leads to the operators' chat site.

After entering the requested information, an existing conversation between a victim (not us) and the operator can be seen.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Uniwinnicrypt.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and by the Capture Client endpoint solution.